Re: [PATCH] media: rp1-cfe: Fix double-free on video device re-registration

[xiaolei wang]

On 2/11/26 16:15, Laurent Pinchart wrote:
> CAUTION: This email comes from a non Wind River email account!
> Do not click links or open attachments unless you recognize the sender and know the content is safe.
>
> Hi Xiaolei,
>
> On Wed, Feb 11, 2026 at 11:45:01AM +0800, Xiaolei Wang wrote:
> > When a sensor driver is unloaded and reloaded (e.g., rmmod/insmod ov5647),
> > the cfe_async_complete callback is invoked again, attempting to re-register
> > video nodes that are still registered. This causes multiple issues:
> >
> > 1. KASAN double-free in kfree_const when dev_set_name tries to free the
> >     kobject name that was already freed during video_unregister_device
> > 2. "tried to init an initialized object" warnings because the video_device
> >     kobject is re-initialized before being fully released
> >
> > Fix this by:
> > - Adding a check in cfe_probe_complete() to skip nodes already in
> >    NODE_REGISTERED state, preventing duplicate registration attempts
> > - Implementing cfe_async_unbind() callback to properly clear the
> >    source_sd pointer when the subdevice is unbound
> I think a better fix would be to register video nodes at probe time, not
> when sensors are bound.
Hi Laurent,

Thank you for the feedback and suggestion. You're right that registering
video nodes at probe time would be a cleaner approach. I'll explore this
method and implement it in the next version.

Best regards,
Xiaolei
> > Signed-off-by: Xiaolei Wang <xiaolei.wang@xxxxxxxxxxxxx>
> > ---
> >   drivers/media/platform/raspberrypi/rp1-cfe/cfe.c | 14 ++++++++++++++
> >   1 file changed, 14 insertions(+)
> >
> > diff --git a/drivers/media/platform/raspberrypi/rp1-cfe/cfe.c b/drivers/media/platform/raspberrypi/rp1-cfe/cfe.c
> > index 62dca76b468d..d3813c79316d 100644
> > --- a/drivers/media/platform/raspberrypi/rp1-cfe/cfe.c
> > +++ b/drivers/media/platform/raspberrypi/rp1-cfe/cfe.c
> > @@ -2152,6 +2152,9 @@ static int cfe_probe_complete(struct cfe_device *cfe)
> >        cfe->v4l2_dev.notify = cfe_notify;
> >
> >        for (unsigned int i = 0; i < NUM_NODES; i++) {
> > +             if (check_state(cfe, NODE_REGISTERED, i))
> > +                     continue;
> > +
> >                ret = cfe_register_node(cfe, i);
> >                if (ret) {
> >                        cfe_err(cfe, "Unable to register video node %u.\n", i);
> > @@ -2204,8 +2207,19 @@ static int cfe_async_complete(struct v4l2_async_notifier *notifier)
> >        return cfe_probe_complete(cfe);
> >   }
> >
> > +static void cfe_async_unbind(struct v4l2_async_notifier *notifier,
> > +                          struct v4l2_subdev *subdev,
> > +                          struct v4l2_async_connection *asd)
> > +{
> > +     struct cfe_device *cfe = to_cfe_device(notifier->v4l2_dev);
> > +
> > +     cfe->source_sd = NULL;
> > +     cfe_info(cfe, "Unbinding subdev %s\n", subdev->name);
> > +}
> > +
> >   static const struct v4l2_async_notifier_operations cfe_async_ops = {
> >        .bound = cfe_async_bound,
> > +     .unbind = cfe_async_unbind,
> >        .complete = cfe_async_complete,
> >   };
> --
> Regards,
>
> Laurent Pinchart